Use After Free Affecting usd-core package, versions [,25.8)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PYTHON-USDCORE-13537511
- published13 Oct 2025
- disclosed2 Oct 2025
- creditSonghyun Bae
Introduced: 2 Oct 2025
New CVE NOT AVAILABLE CWE-416 (opens in a new tab)How to fix?
Upgrade usd-core to version 25.8 or higher.
Overview
usd-core is a Pixar's Universal Scene Description
Affected versions of this package are vulnerable to Use After Free. Affected versions of the usd-core package are vulnerable to Use-After-Free due to unsynchronised destruction of Sdf_PrimPathNode objects in the Sdf_PathNode module that permits access to freed memory. The pxr/usd/sdf/path.cpp code path involving Sdf_PrimPathNode::~Sdf_PrimPathNode can be exercised concurrently, creating a race in which one thread frees a node while another continues to reference it, as evidenced by crashes observed across OpenUSD tools such as sdfdump, usdtree, usdcat, and sdffilter.